Canada: Insurance & Reinsurance 2018

INTRODUCTION

Insurance companies and policyholders in Canada are facing new
risks and challenges, as they always have. Risks resulting from
cyber losses and climate change, however, are not merely
incremental changes in the insurance world. Rather, they are risks
that are both rapidly evolving and difficult to predict. As always
in the insurance industry, new risks are met with a creative and
insightful underwriting and brokering response. Innovative
solutions are required. At the same time, however, existing
insurance solutions provide useful foundations for managing
emerging risk. Business interruption coverage is a prime example.
Business interruption coverage has, traditionally, been included
with first-party bricks and mortar property coverage. This
insurance has been aimed at protecting the future income stream of
protected entities, and has a long history of success protecting
policyholders.

However, emerging and unpredictable risks like cyber-risk and
climate change pose new challenges for both insurers providing
business interruption coverage and their customers. Such new risks
have resulted in an evolution of business interruption coverage to
ensure that policyholders are protected from the uncertainty
presented by modern digital business realities and a rapidly
changing climate.

A. CYBER BUSINESS INTERRUPTION

Computer operations and data are at the heart of modern
business. Interruption of systems or loss of data would be
crippling to virtually every Canadian enterprise. With the advent
of data breach, ransomware, and Distributed Denial of Service
(DDoS) attacks, the primary risk of business interruption has
changed from physical damage to bricks and mortar infrastructure to
disruption of computer systems or loss of information.
Policyholders are only just beginning to awaken to this risk, and
insurers are moving quickly to insure it properly. While these
emerging trends are coalescing, however, there is likely to be
significant friction between policyholders with traditional
first-party coverage or minimal cyber-coverage and their
insurers.

This section of the article gives an outline of the problems now
seen to be arising, an analysis of the coverage provided by bricks
and mortar policies to cyber-losses, and identifies some of the
challenges facing cyber-carriers.

1. Cyber attacks and business interruption

Since late 2016 and 2017 we have seen major cyber interruptions
in the form of Distributed Denial of Service (DDoS) and ransomware
attacks. These attacks, while generally resolved within hours,
affected large parts of the world economy.

For example, in late 2016, the Mirai virus was used to attack
Dyn, Inc., which provides internet infrastructure to many Fortune
500 companies in the United States including Starbucks, Airbnb,
Amazon, Netflix, Visa and many others. The virus had propagated
through tens of millions of Internet of Things (IoT) devices. At 7
a.m. on October 26, 2016 those IoT devices were directed to contact
Dyn's servers, resulting in an amount of traffic that
overwhelmed those servers, such that they could not serve Dyn's
clients. The initial attack was resolved in about two-and-a-half
hours, but two more attacks were also launched. Dyn had resolved
the issue by 6:11 p.m. The total period of the attack was just over
eleven hours, but many of Dyn's clients' websites and
portals had been affected during that time, and could not operate
properly. The losses to Dyn's clients were significant.

Similarly, mid-2017 witnessed the WannaCry, Petya and NotPetya
ransomware attacks. The ransomware infected many thousands of
computer networks, shutting them down until either ransom was paid,
or work-arounds were put into place. Again, many companies resolved
their issues within hours, but some were out of service for days.
Business impacts were significant. WannaCry, Petya and NotPetya are
only three examples of a growing problem of ransomware. Many
businesses are victims of ransomware viruses, and other forms of
data breach, which require the partial or complete suspension of
computer operations. Income losses are suffered as the result of
such events.

Canadian businesses and other organisations have traditionally
relied on first-party property coverage for protection of their
earnings stream through business interruption insurance. However,
that coverage is not well structured for the electronic age, as it
requires "direct physical loss" to covered property
to trigger business interruption coverage. What direct physical
loss has occurred as the result of a cyber-event?

Cyber policies are increasingly being used to fill the gap in
coverage for systems or data-based business interruptions.

2. Insurance coverage for business interruption

Business interruption coverage indemnifies policyholders for
income lost when damage to covered property disrupts the
policyholders' business operations.1 Traditional
first-party policies require that three conditions be satisfied to
trigger coverage: (1) for direct physical loss or damage; (2) of
covered property; and (3) resulting from a covered cause of
loss.2 Of significance is the requirement for direct
physical loss or damage to the covered property. Some policies have
defined covered property to include exclusively "tangible
property".3 Economic loss alone is insufficient to
trigger coverage under most traditional first-party insurance
policies.4

Courts have been called upon to determine whether or not
interruptions caused by cyber-attacks constitute "direct
physical loss or damage" to covered and/or tangible
property.5 Does the temporary detainment of virtual
information constitute physical damage for the purpose of a
business interruption policy? Canadian case law has, unfortunately,
shed little light on the issue. South of the border, however,
several American authorities have considered similar issues.

In America Online, Inc. v. St. Paul Mercury Ins.
Co.,6 AOL had released a new version of its software
to the public. Unfortunately for the internet provider, that new
software caused damage to customers' computer systems and
pre-existing software. A class action lawsuit was filed and settled
shortly thereafter. AOL tendered the defence to their insurer,
under a policy that provided coverage for "physical damage to
tangible property". The insurer denied coverage and AOL sued.
The Fourth Circuit Court held that damage to software did not
constitute physical damage to tangible property, and as such, did
not trigger coverage under the policy. In so finding, the Court
created a distinction between damage to hardware and software,
noting that only damage to the former would constitute physical
damage to tangible property, as the latter consists only of
recorded data and information.

In contrast, in Ingram7, Ingram, a wholesale
distributor that relied on the use of a computer network known as
the Impulse system to track its customers, products, and daily
transactions, purchased a primary all-risk policy that covered
"[r]eal, and personal property, business income and operations
in the world wherever situated except for U.S. Embargo
Countries" and insured against "All Risks of direct
physical loss or damage from any cause, howsoever or wheresoever
occurring, including general average, salvage charges or other
charges, expenses and freight". A power outage resulted in a
loss of programming information on a number of computers, which in
turn resulted in a loss of connection at six locations, at which
Ingram was, therefore, unable to conduct business. In coming to its
conclusion on the issue of coverage, the District Court ruled as
follows:

"At a time when computer technology dominates our
professional as well as personal lives, the Court must side with
Ingram's broader definition of "physical damage." The
Court finds that "physical damage" is not restricted to
the physical destruction or harm of computer circuitry but includes
loss of access, loss of use, and loss of
functionality."

A similar result was reached in Landmark American Insurance
v. Gulf Coast Analytical Laboratories8 – a
business interruption loss was covered in circumstances wherein the
insured could no longer use its computer systems because of a
virus. The court's analysis focused on the particular language
used in the policy, particularly coverage for "direct physical
loss ... of valuable papers and records, including those which
exist on electronic or magnetic media for which duplicates do not
exist". Such language implied that the insurer regarded lost
electronic data as a "physical loss", capable of
triggering business interruption coverage.

Despite the inherent incompatibility of the foregoing decisions,
each has been referenced in subsequent jurisprudence with both
approval and disapproval as the case may be and, as such, the
status of the physical damage requirement as it applies to data and
electronic information is far from apparent.9 It is,
therefore, important for insured parties, who depend heavily on
their cyber-networks, to conduct a careful review of their
coverage.

In an effort at increased certainty, certain insurance providers
have added specific limitations to their policies that address
"electronic media and records",10 whereas
other policies specifically exclude cyber-related
losses.11 Further, even in cases where cyber-related
business interruption may be covered, traditional policies often
require a complete cessation of operation to trigger
coverage,12 leaving businesses exposed in the event of
slowdown or brief interruption.13

As companies increasingly depend on the use of data and network
connectivity to conduct business, including those who continue to
operate traditional brick and mortar locations, reliance on
traditional first-party business interruption coverage may leave
many businesses at risk in the face of a cyber-attack or network
shutdown. Given this heavy reliance on cyber data and services, and
the uncertainty of coverage under traditional property policies, it
may be time that businesses, in any industry, consider the adoption
of a cyber-policy to mitigate their risk and exposure to a shutdown
or diminution of production as a result of a cyber event.

3. Cyber Business Interruption Insurance and its Challenges

At the outset of any discussion of cyber policies, it must be
noted that not only is there no standard form of cyber policy;
there is not even a standard scope of coverage. Different policies
may provide vastly different protection from one another. Some may
cover business interruption, some may not. The only way to
determine the scope of a cyber-policy is through review of the
language employed. That said, where it exists, it can be generally
stated that most business interruption coverage in cyber policies
will share a common goal with such coverage found in first-party
property policies: insurance for the future stream of income of the
business, resulting from a covered loss.

However, the structure of such coverage in a cyber policy must
differ in fundamental ways from its property-based cousin. The
business interruption coverage found in traditional property
policies was inherently conservative, in that it would only respond
to the specific interruption occurring at covered premises
resulting from physical damage to covered property caused by a
covered peril. If losses were suffered that did not result
specifically from the covered loss, but simultaneously with such
covered loss, those losses were not recoverable under the
policy.

Cyber coverage, however, must hinge on different triggering
events. Generally speaking, as there is no physical damage that
results from a cyber event,14 it is difficult to say
"where" a cyber loss took place, and the perils covered
by cyber policies may be "specified" as opposed to
"all-risk" in nature. While the purpose of business
interruption coverage remains the same as between traditional
insurance and cyber insurance, the structure of the coverage is
different in a number of fundamental ways.

With respect to the loss itself under a cyber policy, business
interruption coverage will generally be triggered if there is a
necessary disruption of the insured's own systems. What,
however, is the insured's "own system"? This is a
particularly acute problem in the cyber world, as many digital
services are outsourced. Again, different policies will treat this
question in different ways. Does the insured's system include
off-site servers owned by others? What if that server is leased in
whole or in part to the insured? Are software and data part of the
system, or must the interruption be related to hardware alone? Is
it necessary that the disruption be complete, or will a partial
disruption or slow-down be sufficient to trigger coverage?

With respect to the location of the loss, given that systems are
invariably linked to other computer systems through communications
equipment, where does the insured's system end, and the
third-party system begin? What connections qualify as the
insured's own system? Will a loss that affects the internet, or
large-scale communications system, as a whole, be covered or
excluded as a catastrophic loss?

As regards the cause of loss itself, what events are sufficient
to trigger coverage? Must the event be caused, in its entirety,
through the malicious and volitional acts of third parties, or can
an accidental event trigger coverage? That is to say, must the
disruption to the insured's systems be the result of a
malicious virus, hacker or DDoS attacker, or will coverage be
available from shutting down a sector of the insured's system,
following the accidental loss of an unsecured laptop? Must the
shut-down be "necessary", or is it sufficient that the
insured make a good faith decision that a disruption of computer
operations is in its best interests or those of its clients?

There is significant variation in policies as to what time
period the policy will cover. Cyber policies will normally reflect
protection for a lost profit, through assessment of the actual lost
net profit (or increased net loss) suffered. However, assessment of
such loss will generally not be based on the same period as in a
traditional insurance policy. Some policies insure only income lost
in the period during which the disruption is ongoing. The period of
interruption will generally begin within a waiting period based
upon a set number of hours (often 12 or fewer), rather than days or
weeks as is normally the case with traditional business
interruption coverage. Once the waiting period has ended, the
policy will respond to the business interruption loss. As noted,
though, some cyber policies are structured so that once electronic
operations are restored, the insurer will no longer pay amounts
lost by the insured for the interruption to its business. Other
policies, however, are more consistent with bricks and mortar
business interruption, in that they cover the insured for a period
of restoration, wherein an assessment of the insured's ongoing
lost income following the incident is insured, taking into account
the trend of the business before and after the disruption and
continuing/non-continuing fixed costs. Different businesses will be
better served by one policy or the other. Retail operations which
may recover quickly from an outage may be better served by paying a
lower premium for the limited coverage period. Other businesses
that may suffer a reputational harm as the result of an outage may
wish to pay more in premium to obtain restoration period
coverage.

An additional consideration is whether the insured will need
Contingent Cyber Business Interruption ("CBI") coverage.
Although there are more than a billion websites on the internet,
those websites depend on a relatively small number of companies to
keep the infrastructure underlying electronic communications
operating.15 The magnitude of this dependence was
demonstrated during the Dyn DDoS attack. While typical cyber
policies bought by small to medium businesses do not provide CBI
coverage, many of the policies provided to larger enterprises do.
As a better understanding of the scope of cyber business
interruption risk is gained, insurers are beginning to offer CBI
cyber coverage on a more widespread basis. At the same time, such
coverage is generally subject to notable restrictions. The insured
must identify the specific entity whose failure will trigger the
coverage. Also, insurers have sought to limit their exposure to a
massive cyber event, through catastrophe exclusions. A cyber event
affecting a sector of internet service or cloud provider, for
example, could result in major losses globally. Insurers are
generally not prepared to insure that risk.

Cyber business interruption in Canada closely resembles business
interruption coverage in traditional bricks and mortar forms. There
are, however, notable differences in the events required to trigger
coverage, and the manner in which loss is calculated. This is a
nascent area of business interruption coverage, and uncertainties
remain. The risk is obvious, but the response from insurers
continues to develop.
